net/http: document and protect against unsafe use of ServeFile #14110

Closed
bradfitz opened this issue Jan 27, 2016 · 2 comments

@bradfitz
Member

commented Jan 27, 2016

Martin Lenord notes:

I've seen this method of handling static files crop up a couple of times:
http://stackoverflow.com/questions/25945538/go-golang-to-serve-a-specific-html-file
http://jessekallhoff.com/2013/04/14/go-web-apps-serving-static-files/

Using http.ServeFile(w, r, r.URL.Path[1:]) to serve up a directory.
...

Normally ServeMux protects against this on accident, but it's not a good defense because there are ways around it and not everybody uses ServeMux.

We should instead document louder that it's unsafe, and add some protections against it.

@bradfitz bradfitz self-assigned this Jan 27, 2016

@bradfitz bradfitz added this to the Go1.6 milestone Jan 27, 2016
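
The pattern quoted in the issue next to a handler that confines serving to one directory, as an added example that is not part of the thread or of the Go project's code. The names `unsafeHandler`, `hasDotDot` and `staticHandler`, the `./public` root and the listen address are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// unsafeHandler is the pattern quoted in the issue: the URL path becomes a
// file name relative to the working directory, with nothing confining it
// to a document root. Shown for comparison only; it is never registered.
func unsafeHandler(w http.ResponseWriter, r *http.Request) {
	http.ServeFile(w, r, r.URL.Path[1:])
}

// hasDotDot reports whether any element of p, split on '/' or '\', is "..".
func hasDotDot(p string) bool {
	isSep := func(c rune) bool { return c == '/' || c == '\\' }
	for _, el := range strings.FieldsFunc(p, isSep) {
		if el == ".." {
			return true
		}
	}
	return false
}

// staticHandler serves files from root only. http.Dir resolves every
// request path beneath root; the explicit check rejects paths containing
// ".." outright instead of silently normalizing them.
func staticHandler(root string) http.Handler {
	files := http.FileServer(http.Dir(root))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasDotDot(r.URL.Path) {
			http.Error(w, "invalid URL path", http.StatusBadRequest)
			return
		}
		files.ServeHTTP(w, r)
	})
}

func main() {
	// "./public" and the listen address are assumptions for this example.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", staticHandler("./public")))
}
```

The handler is safe to call directly, without a ServeMux in front of it. http.Dir still follows symlinks that point out of the root, so the root's contents need to be controlled as well.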

@gopherbot

commented Jan 27, 2016

CL https://golang.org/cl/18939 mentions this issue.

@gopherbot gopherbot closed this in 9b67a5d Jan 27, 2016

@nhooyr

Contributor

commented Jul 11, 2016

What ways are there around ServeMux's defence on this?

@golang golang locked and limited conversation to collaborators Jul 11, 2017
